Cannot create work profile!

"The security policy prevents the creation of a managed device because a custom OS is or has been installed on this device"

 

But the device is not rooted, it was forcefully removed from the portal.

 

Does anyone have an idea how to resolve this issue?

23 Replies

@iMadushaN  Is there a Custom ROM installed on the device?

@iMadushaN  What brand/model of device is it? Was it previously enrolled in your Intune tenant? Was it previously enrolled using a different method? (Device Admin, Fully Managed, etc.) Was the previous device registration removed from Intune prior to enrolling?

Which model are you using, and which version? Does the OS version show some different name other than the Android version, one that is not readable by Intune, like MIUI or One UI, in the device details, which might be causing the issue? @iMadushaN

@eglockling 

  1. What brand/model of device is it? 
    • clipboard_image_0.png
  2. Was it previously enrolled in your Intune tenant?
    • Yes
  3. Was it previously enrolled using a different method? (Device Admin, Fully Managed, etc.)
    • It was enrolled using "Corporate-owned, fully managed user devices"
  4. Was the previous device registration removed from Intune prior to enrolling?
    • Yes

@I_am_Rajesh Hi, please refer to the attached.

@iMadushaN The issue seems to be very strange because the device was working fine previously with Intune.

I think you have already tried this, but just to check, you can try this step if not done already.

---- Have you used the serial number or the IMEI number for enrollment? I think you must have tried with both, but in case not, then just use either one: if IMEI, then re-enroll using SN, and vice versa.

 

I am not sure, and this may not be the issue, but I think Intune is reading Samsung Experience 9.5 as a custom OS instead of the Android version.

 

Also, you can try a hard reset to factory settings once, if it's allowed or feasible for you.

I have the same issue happening on multiple Samsung devices.  I have the default enrollment method set to work profiles.  As people re-enroll they are converted from device administrator.  

 

Within the last month I have seen these issues.  

Has this issue been resolved? If not, can you try disabling or removing the Knox app from the Samsung device and see if it works? @iMadushaN

@iMadushaN  Did you ever find a solution for this?  I am running into this same issue with another endpoint management solution.

@commputethis The issue still persists!

@iMadushaN 

 

So they are first enrolled in work profile, then enrolled into DA.

Are they trying to use the Samsung 'Mail' app?

@Thijs Lecomte Nope, it's a new device and we have enrolled it for the first time (AE). For the mail app, the answer is no, because the Intune portal configuration itself is blocking with an error, so we are unable to proceed further.

@iMadushaN 
I was working on a case like this one and I stumbled upon the following official Samsung documentation:

https://support.samsungknox.com/hc/en-us/articles/115013562087-What-is-a-Knox-Warranty-Bit-and-how-i...

https://support.samsungknox.com/hc/en-us/articles/115013719548

https://support.samsungknox.com/hc/en-us/articles/360039680233-Knox-Cloud-Services-KCS-solutions-do-...

Refer to the documentation above:

This flag is a security feature that detects if unofficial software has been installed on your phone. This helps prevent malicious attempts from accessing your data.

The Knox Warranty Bit detects if a non-Knox kernel has been loaded on the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. tripped). If a non-Knox boot loader or kernel has been installed on the device, Knox can no longer guarantee the security of the Knox container. As a result, the Warranty Bit is tripped to 0X1…

If the Knox bit has tripped:

  • A new Workspace can no longer be created on such a device.
  • The data encrypted and stored in an existing Workspace can no longer be retrieved.
  • Other Samsung services that utilize Knox security stop working (Samsung Pay, Secure Folder.)

Hope this helps.

@Estivengsv After working with my company's IT people, they have informed me that this is an issue with Android 10.

 

Intune worked on my device previously, but after a large update my work associated apps (Teams & Outlook) no longer updated and directed me to install Intune Company Portal that was already installed on my phone. 

 

I have a Samsung Galaxy S10 Plus

Phone Software Details:

Phone Info.png

 

 

I uninstalled Company Portal, Outlook and Teams, restarted my phone and then downloaded Company Portal to start over fresh. I logged in with my company username and password and tried to create a new "Work profile". However, every time the profile creation would fail I would get the same error:

Screenshot_20200522-141310_Work Setup.jpg

 

After a few more attempts I broke down and went to IT.

 

They told me the following:
"The custom OS error has to do with a ROM variant that Android put out that Microsoft reads as non-standard. Microsoft is supposed to be releasing an update for InTune Company Portal to address this, but they haven't yet. It's an issue w/ Android 10. They can't fix it without pushing a whole new ROM (and we all know how long it takes Samsung to push Android updates), and MS can easily fix it (allegedly)."

 

So for now I am unable to use Teams or Outlook on my device. Hopefully I will hear more about this supposed update when IT learns a bit more.

 

Hope this helps anyone else out there experiencing the same thing.

@rgildersleeve I had the same problem with Enterprise Enrollment on a Samsung Tab S5e. The solution was to upgrade the device to the latest firmware. I had to flash with the Odin tool. After that it worked like a charm.

I am having the same issue. My Samsung Note9 has triggered Knox (previously rooted). But at the moment it is running the stock ROM with the latest update and security patch installed. It is still giving me the error "the security policy prevents the creation of a work profile because a custom OS has been installed on this device"

Note that before this, Company Portal was running perfectly fine. Now that I have reinstalled it and tried to log in and create a work profile, it does not allow it anymore.

 

@I_am_Rajesh Is this as in forever? I purchased a second-hand Galaxy S10+ not knowing about Knox. It has stock firmware on it. I have also re-flashed the original stock firmware via Odin to make sure, and I am unable to install InTune. It said the Knox bit is 0x01, so it looks like it has had custom firmware in the past.

 

I bought this to be a work phone. This is stupid. Is there ANY WAY I can get round this?